20 Oct
    Author: admin Categories: Security Comments: 13

    As I began down the dismal path of studying for my (ISC)² SSCP certification I ran across an interesting concept in my study guide called “keystroke dynamics.” Basically, it is a form of 2-factor authentication that allows users to authenticate not only by their password but also by the way in which they type that password.

    What’s interesting is that it is one of the only forms of biometric authentication that can be implemented at little cost with currently available technology. Of course there are cons to KSD (don’t get arthritis!), but if you give users the option to authenticate by KSD OR via a series of the usual what’s-your-mother’s-maiden-name questions, I believe this could be practically implemented.

    KSD relies on analyzing dwell time (the time a user keeps a key depressed) and flight time (the time between releasing one character and pressing the next). This data is recorded and then transmitted along with your password. If the recorded dwell or flight times deviate too far from the valid ones, access is denied.

    I thought I’d attempt a web implementation using PHP and JavaScript. You can see the results of this endeavor by playing with the demo below. It captures dwell and flight differences in milliseconds, and if you are within the valid omega (tolerance) for each and possess the valid password you will be granted access.

    I was playing with the mathematics behind this the other day and it seems like this would make it exponentially harder for an attacker to brute force a user’s password. If we take the dwell and flight omegas I use in the demo below (120ms and 100ms respectively) and suppose that from person to person dwell times deviate approximately 400ms and flight times can deviate 1000ms, we can calculate how many more combinations are possible in a standard 8 character password:

    (400ms / 120ms) * (1000ms/100ms) = ~33 unique ways you can type one character

    (400ms / 120ms)^8 * (1000ms / 100ms)^7 = ~152,415,790,276 ways to type an eight character password

    This means that even if an attacker knew your password (i.e. saw you type it, or captured it by means of a keylogger) he would then, in theory, have to try all of the 152 billion possible ways to type the password.


13 Responses

  • Aaron Bach Says:

    This is a very interesting addition to secure login systems.

    I’m curious, however: what if a person’s typing habits change over time? Where does one draw the line when determining the omegas? Those values can’t be too loose because that creates opportunities for less-than-secure password entry, but too-tight omegas might not allow changing habits to authenticate. Is there some mechanism to accommodate this?

    Great articles!

  • Mike Adams Says:

    I often type my password one-handed after returning from lunch, with sandwich in other hand. This would throw off my timing, no doubt. Not that this invalidates your points, but it is a scenario to consider in pondering such security mechanisms.

  • brian Says:

    Yes, I suppose you would have to put your sandwich down before typing… this is probably a show stopper IMO.

    Actually, come to think of it, you could ‘set’ your password one handed from the beginning, that way you could use your free hand for a plethora of activities. Problem solved.

  • Don Wrege Says:

    First car breathalyzers, and now THIS?

  • Amazingant Says:

    Actually, I found it fun to just type the middle row of keys (asdfghjkl) to the beat of “Another One Bites the Dust”, and it said I was good to go so long as I typed to that same beat.

    Any chance I could use this for a personal website?

  • Eric Says:

    I think the user learns to type their password consistently over time. If you get too used to it then you can go too fast but you know it has to be just a certain way or you don’t get in. Each time you get it right the easier it is to remember the next time. You might not always type the same way but you know to always type your password the same way.

  • Eric Says:

    On the other hand if your work area is bugged then determined hackers could analyze the sounds and copy your password typing pattern though they’d still have to get the actual password through some other trickery.

  • me me Says:

    what would happen if you had a few too many?

  • Daniel Says:

    Hello,
    If you want, I can give you a complete study I did in the year 2002 where I implemented a prototype using keystroke dynamics.

  • quixote Says:

    Maybe I’m using it wrong, but I can’t get the demo to let me log in. I set pwd, one I never use so it’s new to me. I tried to log in three times, but each time there was too much variation. Then I tried to set another new-to-me pwd, and also hit “set dwell and flight”. It let me in after hitting that, but then when I tried the same pwd again, there was too much variation again.

    There may be a problem here. If you accommodate klutzy typists, the system loses security. If you don’t, us klutzes will become unemployable and have to file for disability. ;-)

  • Joshua Says:

    This is really cool. Though I used december and had a hard time getting it to match up. Maybe 2 out of 5 times. I guess I’m not a very consistent typist. This would be a struggle then if your password changes every month and you have to keep trying to get it to match up to a new pattern.

  • Matt Solum Says:

    This is an interesting idea, and as to the question of how to deal with someone’s typing habits changing over time it seems to me all you have to do is re-save the user’s dwell and flight numbers on every successful log in; the way someone types doesn’t change rapidly, it happens slowly over time.

    It would run into problems, though, as others have mentioned, in instances when your typing pattern changes by requirement (i.e. holding a sandwich); this would prevent people from logging in on cell phones or other devices. But it would work well as intranet security from a single terminal.

  • Mike Morucci Says:

    Hi. Really interesting concept. A lot of sites let you simply cut/paste in your passwords. So it seems only a few keystrokes would be measured, regardless of the length of the password. But if you really want security, cut/paste wouldn’t be allowed. :-)
